Cryptocurrency

Auditing Cryptocurrency Companies – The CPA Journal

By 
March 25, 2025
17 mins read


Recent events in the cryptocurrency industry highlight the risks for investors and customers—as well as auditors. This article summarizes the international, U.S. GAAP, and PCAOB auditing standards and practices relevant to audits of crypto companies. To better understand the auditing environment for, and the riskiness of, cryptocurrency companies, the audit reports and financial statements of 55 cryptocurrency companies publicly traded on U.S. markets for the years 2023 and 2022 are examined and profiled. Concerns about recent declines in audit quality in general and audits of cryptocurrency companies specifically are raised. Audits of private cryptocurrency companies are also addressed, including the now infamous FTX. Although progress is being made in accounting and auditing standards, more remains to be done, and further legislative and regulatory actions are needed to protect investors, customers, and other stakeholders.

 

***

 

Activities associated with crypto assets may involve heightened risks to investors, public companies, and broker-dealers, including (but not limited to) high levels of volatility, lack of transparency of parties engaging in transactions and the purpose of such transactions, market manipulation, fraud, theft, scams, and significant legal uncertainties.

—PCAOB (Spotlight, “Inspection Observations Related to Public Company Audits Involving Crypto Assets,” June 2023, p. 3, https://bit.ly/47X8iPs)

As described in the PCAOB quote above, the cryptocurrency industry is inherently risky. Given this context, this article examines the role and responsibilities of the accounting profession to protect the public interest and to adhere to professional standards in conducting audits in the cryptocurrency industry.

The cryptocurrency industry has been volatile, with recent high-profile bankruptcies, lawsuits, and settlements. Two cryptocurrency exchanges and their leaders have been the subject of public notoriety. FTX, a large private cryptocurrency exchange, went bankrupt in November 2022 and its CEO, Sam Bankman-Fried was later indicted and found guilty on seven counts of fraud (David Yaffe-Bellany, Matthew Goldstein, and J. Edward Moreno, “Sam Bankman-Fried Is Found Guilty of 7 Counts of Fraud and Conspiracy,” The New York Times, Nov. 2, 2023, https://bit.ly/3v0cHTS). Bankman-Fried was sentenced to 25 years in prison (Bob Van Voris, Chris Dolmetsch, and Ava Benny-Morrison, “Bankman-Fried is Sentenced to 25 Years in Prison Over FTX Collapse,” Bloomberg, March 28, 2024, https://bit.ly/3yJK5ji). Binance, another large private cryptocurrency exchange, and its CEO, Changpeng Zhao, pleaded guilty to money laundering and other charges. Binance agreed to pay the government more than $4 billion and Zhao agreed to resign as CEO (Department of Justice, “Binance and CEO Plead Guilty to Federal Charges in $4B Resolution,” Nov. 21, 2023, https://bit.ly/3No7USv). Zhao was sentenced to four months in prison (Ava Benny-Morrison, “Binance Founder Changpeng Zhao Gets Four Months in Prison,” Bloomberg, April 30, 2024, https://bit.ly/3WYSuJV).

There are currently thousands of digital currencies, the best-known being Bitcoin and Ethereum. Cryptocurrencies may be used as a method of payment and are traded on crypto exchanges, which may be privately held (e.g., Binance and FTX) or publicly held (e.g., Coinbase Global). There are also numerous other activities and businesses in the cryptocurrency environment, including bitcoin mining companies, fintech and decentralized finance companies, and companies that make significant investments in bitcoin and other cryptocurrencies as their primary business strategy.

Regulatory and Legislative Uncertainty

Regulatory uncertainty surrounding crypto assets translates into on-going business and accounting risks for crypto companies. The SEC regulates securities, and the Commodity Futures Trading Commission (CFTC) regulates commodities. Other than bitcoin, however, which everyone seems to agree is a commodity, there is a lack of agreement on the nature (security or commodity) of most other cryptocurrencies. The crypto industry has lobbied for different regulatory regimes for cryptocurrencies, but the SEC has resisted, citing the sufficiency of existing regulations and precedents for crypto definitions and SEC jurisdictional authority over securities (SEC Chair Gary Gensler, “Statement on the Denial of a Rulemaking Petition Submitted on behalf of Coin-base Global, Inc.,” Dec. 15, 2023, https://bit.ly/3Nt3Sbd). Congress has been considering various legislative bills that would provide definitive legal guidance for how and by which agencies cryptocurrencies should be regulated (Jason Brett, “Congress Creates A Storm Of Crypto Legislation,” Forbes, August 3, 2023, https://bit.ly/41qYAmA). Until there is bipartisan agreement and comprehensive legislation is passed, however, crypto companies will continue to face associated business risks and possible uncertainty when accounting for specific types of crypto assets.

Applicable Professional Standards

Global standards for financial reporting are primarily promulgated by FASB, which sets Generally Accepted Accounting Principles for both public and private companies in the United States, and the International Accounting Standards Board (IASB), which provides accounting standards for most of the rest of the world through its International Financial Reporting Standards (IFRS). Under existing IFRS, accounting for cryptocurrency holdings falls under either IAS 2, Inventories (if crypto-currencies are held for sale as part of business operations), or IAS 38, Intangible Assets. Under IFRS guidelines, both decreases and increases in the fair value of crypto assets are recognized using a fair value approach. Under U.S. GAAP, crypto assets are treated as intangible assets with indefinite useful lives and are valued at cost less impairment with subsequent increases in value not recognized, in accordance with ASC 350.

In March 2023, FASB issued an exposure draft on “accounting for and disclosure of crypto assets” (see W.M. VanDenburgh, R.B. Daniels, and R. DeLaurell, “FASB Takes on Crypto,” The CPA Journal, November 2023, https://bit.ly/413LFXG). In December 2023, FASB issued ASU 2023-08, Accounting for and Disclosure of Crypto Assets, (https://bit.ly/41nKH8P). The ASU provides for reporting the fair value of crypto assets, the reporting of gains as well as losses, and other disclosures, for assets that meet FASBs carefully defined set of criteria. ASU 2023-08 is effective for fiscal years beginning after December 15, 2024, and early adoption is permitted. This is an important step toward clarity for cryptocurrency company preparers, auditors, and investors.

There has been strong resistance to the PCAOB proposal from the auditing profession, but it has received positive feedback from investors. As a result of this resistance and the recent election results, the PCAOB has put the proposal on hold.

Global Standards.

Accountants may be subject to standards promulgated by one or more standard setters for auditing standards, quality controls standards, and ethical standards.

The International Federation of Accountants (IFAC) is a global standards-setting body whose members include 180 “professional accountancy organizations” (https://ifac.org/who-we-are/membership). IFAC sets global auditing, ethics, and quality management standards for accountants and IFAC members, which include the American Institute of Certified Public Accountants (AICPA) and Chartered Professional Accountants of Canada (CPA Canada). IFAC members have a responsibility to support the “adoption and implementation of international standards and other pronouncements issued.”

The IFAC framework includes the Forum of Firms, “an independent association of international networks of firms that perform transnational audits” (https://bit.ly/410C0Rl). Currently, there are 34 such networks, which include the Big Four. The Forum of Firms commits to maintaining and following, “to the extent practicable,” the IFAC standards in their work. Accounting firms may also be regulated by other bodies in their jurisdiction or jurisdictions in which their clients file financial statements, with the PCAOB being an example for companies that are publicly traded in the United States.

The following standards are particularly relevant to audits of cryptocurrency clients, due to the risk and complexity associated with the industry.

Acceptance and continuance of client relationships and specific engagements.

Acceptance and continuance of clients and engagements are critical tools for risk management, particularly for risky clients such as crypto companies. Quality management for accounting firms is covered by several professional standards, including the Auditing Standard Board’s Statement on Quality Management Standards (SQMS) No. 1 and the International Auditing and Assurance Standards Board’s International Standard on Quality Management (ISQM) 1. Firms should accept or continue client relationships and specific engagements only after assessing the “integrity and ethical values of the client (including management, and, when appropriate, those charged with governance)” and “the firm’s ability to perform the engagement in accordance with professional standards and applicable legal and regulatory requirements” (SQMS 1, para. 31, https://bit.ly/3WuJPh7; ISQM 1, para. 30, https://bit.ly/4aqhpe9). The PCAOB adopted, and the SEC approved, a new “integrated, risk-based” quality control standard for all registered public accounting firms (PCAOB, A Firm’s System of Quality Control, May 13, 2024, https://bit.ly/3XolNUT). The new standard has an effective date of December 15, 2025, and includes acceptance and continuance of engagements.

Noncompliance With Laws and Regulations (NOCLAR).

A recent development in ethical standards is the responsibility of auditors to respond to noncompliance with laws and regulations that may have a direct or indirect effect on the amounts and disclosures in a client’s financial statements or other important compliance matters. Standards for “non-compliance with laws and regulations” (NOCLAR) were first adopted internationally by the International Ethics Standards Board for Accountants (IESBA, effective July 15, 2017), which is now integrated in the IESBA Code of Ethics (IESBA, 2024, Section 360, https://bit.ly/47ZQIdW) and International Standard on Auditing (ISA) 250 (https://bit.ly/47vHneF). Canadian Auditing Standards adopted NOCLAR as part of CAS 250 in response to ISA 250, effective December 15, 2018 (https://bit.ly/3Xpba4d).

As a member of IFAC, the AICPA’s Professional Ethics Executive Committee issued similar NOCLAR requirements as part of the AICPA Code of Professional Conduct, effective June 30, 2023 (see Cathy Allen, “NOCLAR: What CPAs in Public Practice Need to Know,” Journal of Accountancy, Nov. 1, 2022, https://tinyurl.com/bp6y7j4c). Likewise, the PCAOB proposed NOCLAR standards for auditors of public companies (https://bit.ly/3RhGu1P). There has been strong resistance to the PCAOB proposal from the auditing profession, due to the potential for increased liability and audit costs, but it has received positive feedback from investors (M. Friedlich, “Concerns Abound over NOCLAR Proposal to Widen Auditor Duties,” Accounting Today, April 2, 2024, https://bit.ly/4haqp9G). As a result of this resistance and the recent election results, the PCAOB has put the proposal on hold (Michael Cohn, “PCAOB Calls Off NOCLAR for this Year,” Accounting Today, Nov. 15, 2024, https://bit.ly/3BbeWqO). Instead, they issued a “Spotlight” to remind auditors about their responsibilities for illegal acts (PCAOB, “Spotlight: Auditor Responsibilities for Detecting, Evaluating, and Making Communications About Illegal Acts,” November 2024, https://bit.ly/4fSziUK).

NOCLAR provides additional opportunities and responsibilities for auditors to address illegal acts that they find while conducting an audit. Examples in the existing IESBA and AICPA standards and discussed in the PCAOB proposal that are relevant to cryptocurrency include fraud, money laundering, and environmental laws. It remains to be seen whether NOCLAR will eventually be required for U.S. public company audits.

Risk of material misstatement.

The audit risk model (which includes inherent risk, control risk, and detection risk) provides a framework for addressing all kinds of audit issues. Auditors consider inherent risk and control risk to assess the risk of material misstatement in an audit client’s financial statements. Risk guidance, particularly for inherent risk, was recently updated in SAS 145 (Understanding the Entity and Its Environment and Assessing the Risks of Material Misstatements, October 2021, https://tinyurl.com/mrxwp6ve), effective for audits of financial statements ending on or after December 15, 2023. [According to the standard itself, SAS 145 was developed using ISA 315 “as the base starting point.” International Standards on Auditing (ISA) are issued by the International Auditing and Assurance Standards Board (IAASB). SAS 145 is codified in AU-C Section 315].

SAS 145 and ISA 315 provide guidance for assessing “the applicable financial reporting framework” for the audit client, with consideration of “accounting for unusual or complex transactions, including those in controversial or emerging areas (for example, accounting for cryptocurrency).” In addition to professional guidance, academic researchers have addressed cryptocurrency auditing challenges, such as assessing inherent risk (S.A. Harrast, D. McGilsky, and Y. Sun, “Determining the Inherent Risks of Cryptocurrency: A Survey Analysis,” Current Issues in Auditing, 2022, https://bit.ly/3t2pvID) and the business risk of auditing cryptocurrency companies as well as the related challenges and recommendations by practitioners (E. Pimental, E. Boulianne, S. Eskandari, and J. Clark, “Systemizing the Challenges of Auditing Blockchain-Based Assets,” Journal of Information Systems, 2021, https://bit.ly/3NbqRaJ). In May 2020, the PCAOB (“Audits Involving Cryptoassets,” 2020, https://bit.ly/3R3urVE) issued information for auditors and audit committees related to inspections of audits of public companies with crypto assets, reminding auditors of their responsibilities. Specific examples for audits of crypto assets are included in the PCAOB document.

Audits of Publicly Traded Cryptocurrency Companies

To understand the role of auditors and auditing in the cryptocurrency industry, 55 “cryptocurrency” companies traded in the United States on the NYSE, Nasdaq, or over-the-counter markets were selected for analysis. The companies were selected through developing a potential list of publicly traded cryptocurrency companies by: 1) searching companies whose SEC annual filings included the word “cryptocurrency” (using the Wharton Research Data Services SEC Analytic Suite) and 2) conducting a Google search for “publicly traded crypto-currency companies.” The list was reduced by qualitatively eliminating companies without a substantial portion of their business associated with the cryptocurrency industry. The final sample of 55 entities is not intended to be a comprehensive or complete list of cryptocurrency companies, but it should provide an adequate, if imperfect, sample to review attributes of publicly traded cryptocurrency companies. Audited financial statements and audit reports were examined for the two most recent fiscal years, 2023 and 2022 (41 companies have a calendar year-end of December 31). Exhibit 1 lists these companies.

EXHIBIT 1

List of Publicly Traded Cryptocurrency Companies

Abits Group (1); Coinbase Global; Mercurity Fintech Applied Digital; Core Scientific; Metaworks Platforms Argo Blockchain; Cryptoblox Technologies (2); MicroStrategy Incorporated Ault Alliance (formerly BitNile); Cypher Metaverse; MOGO Bakkt Holdings; Defi (3); Neptune Digital Assets BANXA; Digihost Technologies; New World Solutions (5) Bigg Digital Assets; DMG Blockchain Solutions; Nu Holdings Bit Digital; Grayscale Bitcoin Trust (4); Prairie Operating (6) Bit Mining; Greenidge Generation Holdings; Riot Platforms Bitdeer Technologies; HIVE Digital Technologies; Rocketfuel Blockchain Bitfarms; Hut 8 Mining; RYVYL Bitmine Immersion Technologies; Intchains Group; Sai.Tech Global Block, Inc.; INX Ltd; Soluna Holdings Blockmint Technologies; Integrated Ventures; Sphere 3D Corp BTCS INC.; Iris Energy; Stronghold Digital Mining Canaan Inc; LQWD Fintech; Terawulf Cathedra Bitcoin; LUXXFOLIO; Tokens.Com Cipher Mining; Marathon Digital Holdings CleanSpark; Mawson Infrastructure 1. Merged with Moxian and became Abits Group Inc., November 2023. 2. Trades primarily on the Canadian Securities Exchange but also has traded on the U.S. OTC market. 3. Formerly Valour. 4. Became an Exchange-Traded Fund (ETF) in January 2024. 5. Formerly Graph Blockchain. 6. Merged with Creek Road Miners and became Prairie Operating Co., November 2023. In January 2024, the company disposed of all bitcoin mining equipment and left the cryptocurrency industry.Abits Group (1); Coinbase Global; Mercurity Fintech Applied Digital; Core Scientific; Metaworks Platforms Argo Blockchain; Cryptoblox Technologies (2); MicroStrategy Incorporated Ault Alliance (formerly BitNile); Cypher Metaverse; MOGO Bakkt Holdings; Defi (3); Neptune Digital Assets BANXA; Digihost Technologies; New World Solutions (5) Bigg Digital Assets; DMG Blockchain Solutions; Nu Holdings Bit Digital; Grayscale Bitcoin Trust (4); Prairie Operating (6) Bit Mining; Greenidge Generation Holdings; Riot Platforms Bitdeer Technologies; HIVE Digital Technologies; Rocketfuel Blockchain Bitfarms; Hut 8 Mining; RYVYL Bitmine Immersion Technologies; Intchains Group; Sai.Tech Global Block, Inc.; INX Ltd; Soluna Holdings Blockmint Technologies; Integrated Ventures; Sphere 3D Corp BTCS INC.; Iris Energy; Stronghold Digital Mining Canaan Inc; LQWD Fintech; Terawulf Cathedra Bitcoin; LUXXFOLIO; Tokens.Com Cipher Mining; Marathon Digital Holdings CleanSpark; Mawson Infrastructure 1. Merged with Moxian and became Abits Group Inc., November 2023. 2. Trades primarily on the Canadian Securities Exchange but also has traded on the U.S. OTC market. 3. Formerly Valour. 4. Became an Exchange-Traded Fund (ETF) in January 2024. 5. Formerly Graph Blockchain. 6. Merged with Creek Road Miners and became Prairie Operating Co., November 2023. In January 2024, the company disposed of all bitcoin mining equipment and left the cryptocurrency industry.

For the purposes of this survey, all references to the size of companies are based on market capitalizations as of December 29, 2023. Exhibit 2 presents the auditors and number of audit clients for the sample. In 2023 (2022), Marcum had the most clients, with 6 (7), followed by KPMG, with 5 (5), of which only one is conducted by a U.S. office of KPMG. In 2023 (2022), the Big Four audited 10 (9) of the total sample, but they audited 5 (4) of the 10 largest companies. None of the smallest 20 companies were audited by the Big Four in either year. In both years, less than 20% of the sample was audited by the Big Four. These results are consistent with more careful client selection by Big Four firms (see, e.g., D. Aobdia, L. Enache, and A. Srivastava, “Changes in Big N Auditors’ Client Selection and Retention Strategies Over Time,” Review of Quantitative Finance and Accounting, 2021, https://doi.org/10.1007/s11156-020-00907-8).

EXHIBIT 2

Auditors and Number of Clients

Auditor; Affiliate(s); 2023; 2022 Marcum LLP* (New York 3, Costa Mesa, Los Angeles 2, San Francisco); DFK Intl., ECOVIS, LEA, MARCUMBP, MARCUMRBK; 6; 7 KPMG (McLean, Virginia) (Vancouver 2) (Sao Paulo) (Beijing); KPMG Intl.; 5; 5 MaloneBailey (Houston); Nexia Intl.; 5; 4 Kingston Ross Pasknak (Edmonton, Canada); None; 4; 4 Audit Alliance (Singapore); AGN Intl., Allinial Global; 3; 3 Raymond Chabot Grant Thornton (Montreal); Grant Thornton Intl.; 3; 3 Davidson & Company LLP (Vancouver); Nexia Intl.; 2; 1 Deloitte (San Francisco); Deloitte Touche Tohmatsu; 2; 1 Ernst & Young (Atlanta, San Francisco); Ernst & Young Global; 2; 2 Kenway Mack Slusarchuk Stewart LLP (Calgary); DFK Intl.; 2; 1 PKF Antares, Prof. Corp. (Calgary, Alberta, Canada); PKF Intl.; 2; 1 RSM (Toronto 2, Minneapolis); RSM Intl.; 1; 3 BF Borgers CPA PC (Lakewood, CO); None; 1; 2 BakerTilly (Vancouver); Baker Tilly Intl.; 1; 1 Ham, Langston and Brezina LLP (Houston); None; 1; 0 HDCPA Professional Corp (Ontario, Canada); AmeriServ Network; 1; 0 Integritat CPA (Boca Raton, FL); RSM Intl.; 1; 1 Kost Forer Gabbay & Kasierer (Tel-Aviv); Ernst & Young Global; 1; 1 M&K CPAS, PLLC (Houston); None; 1; 1 Mazars USA LLP (New York); Mazars; 1; 1 NVS Professional Corporation (Ontario, Canada); RSM Intl.; 1; 1 Onestop Assurance PAC (Singapore); None; 1; 1 PKF Littlejohn LLP (London); PKF Intl.; 1; 1 PwC (Toronto, Canada); PricewaterhouseCoopers Intl.; 1; 1 RBSM LLP (Las Vegas); None; 1; 1 Simon & Edward LLP (Rowland Heights, California); BDO; 1; 1 Turner, Stone & Company LLP (Dallas); INAA; 1; 0 UHY LLP (Albany, New York); UHY Intl.; 1; 1 Urish Popeck & Co LLC (Pittsburgh); Urish Popeck & Co; 1; 1 Wolf & Company LLC (Boston); Allinial Global; 1; 0 Armanino (Dallas); Moore Global Network; 0; 2 LNP Audit and Assurance Intl. (Sydney); None; 0; 1 MaughanSullivan LLC (Manchester, VT); None; 0; 1 Prager Metis (Hackensack, New Jersey); Prager Metis Intl.; 0; 1 Total; 55; 55 Note: Boldfaced affiliations are members of the Forum of Firms. A full list of members can be found at https://bit.ly/410C0Rl. “None” indicates no information about an affiliation is available on the firm's website. * Marcum acquired Friedman LLP in 2023, which had been the auditor of Graystone Bitcoin Trust since 2015. The 2022 audit reports were signed by Marcum LLP.Auditor; Affiliate(s); 2023; 2022 Marcum LLP* (New York 3, Costa Mesa, Los Angeles 2, San Francisco); DFK Intl., ECOVIS, LEA, MARCUMBP, MARCUMRBK; 6; 7 KPMG (McLean, Virginia) (Vancouver 2) (Sao Paulo) (Beijing); KPMG Intl.; 5; 5 MaloneBailey (Houston); Nexia Intl.; 5; 4 Kingston Ross Pasknak (Edmonton, Canada); None; 4; 4 Audit Alliance (Singapore); AGN Intl., Allinial Global; 3; 3 Raymond Chabot Grant Thornton (Montreal); Grant Thornton Intl.; 3; 3 Davidson & Company LLP (Vancouver); Nexia Intl.; 2; 1 Deloitte (San Francisco); Deloitte Touche Tohmatsu; 2; 1 Ernst & Young (Atlanta, San Francisco); Ernst & Young Global; 2; 2 Kenway Mack Slusarchuk Stewart LLP (Calgary); DFK Intl.; 2; 1 PKF Antares, Prof. Corp. (Calgary, Alberta, Canada); PKF Intl.; 2; 1 RSM (Toronto 2, Minneapolis); RSM Intl.; 1; 3 BF Borgers CPA PC (Lakewood, CO); None; 1; 2 BakerTilly (Vancouver); Baker Tilly Intl.; 1; 1 Ham, Langston and Brezina LLP (Houston); None; 1; 0 HDCPA Professional Corp (Ontario, Canada); AmeriServ Network; 1; 0 Integritat CPA (Boca Raton, FL); RSM Intl.; 1; 1 Kost Forer Gabbay & Kasierer (Tel-Aviv); Ernst & Young Global; 1; 1 M&K CPAS, PLLC (Houston); None; 1; 1 Mazars USA LLP (New York); Mazars; 1; 1 NVS Professional Corporation (Ontario, Canada); RSM Intl.; 1; 1 Onestop Assurance PAC (Singapore); None; 1; 1 PKF Littlejohn LLP (London); PKF Intl.; 1; 1 PwC (Toronto, Canada); PricewaterhouseCoopers Intl.; 1; 1 RBSM LLP (Las Vegas); None; 1; 1 Simon & Edward LLP (Rowland Heights, California); BDO; 1; 1 Turner, Stone & Company LLP (Dallas); INAA; 1; 0 UHY LLP (Albany, New York); UHY Intl.; 1; 1 Urish Popeck & Co LLC (Pittsburgh); Urish Popeck & Co; 1; 1 Wolf & Company LLC (Boston); Allinial Global; 1; 0 Armanino (Dallas); Moore Global Network; 0; 2 LNP Audit and Assurance Intl. (Sydney); None; 0; 1 MaughanSullivan LLC (Manchester, VT); None; 0; 1 Prager Metis (Hackensack, New Jersey); Prager Metis Intl.; 0; 1 Total; 55; 55 Note: Boldfaced affiliations are members of the Forum of Firms. A full list of members can be found at https://bit.ly/410C0Rl. “None” indicates no information about an affiliation is available on the firm's website. * Marcum acquired Friedman LLP in 2023, which had been the auditor of Graystone Bitcoin Trust since 2015. The 2022 audit reports were signed by Marcum LLP.

A profile of the 55 companies is provided in Exhibit 3. Of the 10 largest companies in 2023, only three were foreign filers (Nu Holdings, Hut 8 Mining, and Bitdeer Technologies). Of the 10 smallest companies, six were foreign companies and all six filed through SEDAR+ [System for Electronic Data Analysis and Retrieval+, the “Canadian Securities Administrator’s national system that all market participants will use for filings, disclosures, payments and information searching in Canada’s capital markets” (https://bit.ly/3GAJ5P7)]. Most foreign companies use IFRS accounting standards instead of U.S. GAAP. Auditors’ reports on the financial statements are based on the relevant auditing and financial reporting standards.

EXHIBIT 3

Profile of the 55 Publicly Traded Companies, 2023 (unless noted)

▪ 28 companies traded on the Nasdaq, 22 traded OTC, and 5 traded on the NYSE or AMEX. ▪ 25 filed a 10-K or 10-KA; 30 companies are foreign companies, of which 11 filed a 20-F*, and 19 filed using SEDAR+. ▪ Market capitalization ranged from just over $240,000 to just over $47 billion. ▪ Market capitalization categories: 4 large cap ($10 billion or more), 4 mid cap ($2–$10 billion), 12 small cap ($300 million to $2 billion), 11 micro-cap ($50–$300 million, and 24 nano-cap (less than $50 million). ▪ All 55 companies had unqualified audit reports. ▪ In 2023 (2022), 47 (51) companies reported losses. ▪ Year-over-year, 13 companies reported a bigger loss, 30 companies reported a smaller loss, 8 companies went from a loss to a profit, and 4 companies went from a profit to a loss. No company reported a profit in both years. ▪ Of the 10 largest companies, 2 are foreign companies, while 6 of the smallest 10 companies are foreign companies. ▪ IFRS is used by 22 companies as the basis for their financial statements. ▪ In 2023 (2022), 23 (25) companies had going concern explanatory paragraphs. None of the 10 largest companies had a going concern paragraph, but the 10 smallest companies all had a going concern paragraph. ▪ In 2023 (2022), 48 (47) of the companies did not require an auditor opinion on ICFR because they are non-accelerated filers, smaller reporting companies, emerging growth companies, or foreign companies. ▪ In 2023 (2022), for the 7 (8) companies that had required auditor reports on ICFR, 5 (6) had unqualified opinions and 2 (2) had adverse opinions. ▪ In 2023 (2022), of the companies that did not have required auditor reports on ICFR, management of 9 (12) companies reported one or more material weaknesses in internal controls. ▪ In 2023 (2022), 36 (30) audit reports included either Critical Audit Matters (CAM) or Key Audit Matters (KAM). * An SEC Form 20-F is an annual report filing for non-U.S. and non-Canadian companies that have securities traded in the United States (https://bit.ly/3NcUnx1).▪ 28 companies traded on the Nasdaq, 22 traded OTC, and 5 traded on the NYSE or AMEX. ▪ 25 filed a 10-K or 10-KA; 30 companies are foreign companies, of which 11 filed a 20-F*, and 19 filed using SEDAR+. ▪ Market capitalization ranged from just over $240,000 to just over $47 billion. ▪ Market capitalization categories: 4 large cap ($10 billion or more), 4 mid cap ($2–$10 billion), 12 small cap ($300 million to $2 billion), 11 micro-cap ($50–$300 million, and 24 nano-cap (less than $50 million). ▪ All 55 companies had unqualified audit reports. ▪ In 2023 (2022), 47 (51) companies reported losses. ▪ Year-over-year, 13 companies reported a bigger loss, 30 companies reported a smaller loss, 8 companies went from a loss to a profit, and 4 companies went from a profit to a loss. No company reported a profit in both years. ▪ Of the 10 largest companies, 2 are foreign companies, while 6 of the smallest 10 companies are foreign companies. ▪ IFRS is used by 22 companies as the basis for their financial statements. ▪ In 2023 (2022), 23 (25) companies had going concern explanatory paragraphs. None of the 10 largest companies had a going concern paragraph, but the 10 smallest companies all had a going concern paragraph. ▪ In 2023 (2022), 48 (47) of the companies did not require an auditor opinion on ICFR because they are non-accelerated filers, smaller reporting companies, emerging growth companies, or foreign companies. ▪ In 2023 (2022), for the 7 (8) companies that had required auditor reports on ICFR, 5 (6) had unqualified opinions and 2 (2) had adverse opinions. ▪ In 2023 (2022), of the companies that did not have required auditor reports on ICFR, management of 9 (12) companies reported one or more material weaknesses in internal controls. ▪ In 2023 (2022), 36 (30) audit reports included either Critical Audit Matters (CAM) or Key Audit Matters (KAM). * An SEC Form 20-F is an annual report filing for non-U.S. and non-Canadian companies that have securities traded in the United States (https://bit.ly/3NcUnx1).

The overall results shown in Exhibit 3 are consistent with the common preconception that cryptocurrency is an emerging, risky industry. The companies were overwhelmingly smaller companies, with 35 in the micro-cap or nano-cap categories. Of the U.S. companies, 14 filed as “emerging growth companies.” In 2023 (2022), 47 (51) companies reported losses, with not one company reporting profits in both years, demonstrating the challenges of profitability in the crypto industry. The 2023 results were not much better than 2022, even though the cryptocurrency market had turned around after hitting a low point in November 2022. The market capitalization of all cryptocurrencies (bitcoin) had reached a low of about $936 billion ($302 billion) in November 2022 but had recovered by the end of 2023 to about $1.7 trillion ($825 billion) (https://coingecko.com). In fact, three of the eight companies reporting a profit in 2023 did so through early adoption ASU 2023-08, which provided sufficient unrealized gains on bitcoin to turn a loss into a profit. Given the number of companies with losses, it is not surprising that auditors added a going concern paragraph to their audit report in 2023 (2022) for 23 (25) of the 55 companies. All ten of the smallest companies had going concern paragraphs in their audit reports, while none of the largest ten companies had a going concern paragraph. Under section 404 of the Sarbanes-Oxley Act of 2002, U.S. public companies are required to assess and report on internal controls over financial reporting (ICFR). This is required of management in all cases [SOX section 404(a)]. Auditors of larger public companies, deemed accelerated or large accelerated filers, must also evaluate and render an opinion on the client’s effectiveness of ICFR. Auditors of smaller companies, deemed non-accelerated filers, or small reporting companies, or emerging growth companies, are not required to render an opinion on ICFR [SOX section 404(b)]. In 2023 (2022), there were 47 (48) companies that did not require the auditor to render an opinion on the effectiveness of ICFR. Of the eight companies whose auditors were required to report on ICFR in 2023, six had unqualified opinions and two had adverse opinions. Of the 47 (48) remaining companies, management of 11 (15) of the companies reported one or more material weaknesses. Recently, Bedrock AI identified 19 publicly traded crypto mining companies and found that 16 of the 19 (84%) had disclosed material weaknesses in ICFR at some point during the past four years (A. Castillo, “FTX: Anomaly or Norm? Field Notes on the Crypto Mining Space,” 2022, https://bit.ly/3T7AMSF).

There is no information available about the audit quality for the specific audits of the 55 companies in the sample. There is, however, evidence of a general increase in “flawed” audits.

The audit reports for the sample of companies were also reviewed for inclusion of Critical Audit Matters (CAMs) or Key Audit Matters (KAMs). The PCAOB instituted CAMs for public company auditors for fiscal years on or after December 15, 2020 (PCAOB, 2017, https://bit.ly/485hRvO). The requirement for large accelerated filers was one year earlier. The CAMs requirements apply to “smaller reporting companies” but do not apply to “emerging growth companies.” A similar standard for KAMs was adopted by the IAASB in 2014 as International Standards on Auditing (ISA) 701 (https://bit.ly/3XnF4We) and by the ASB as AU-C Section 701. ISA 701 applies to “listed entities,” which includes the companies discussed here. AU-C Section 701 applies to private company audits in the United States. Among other things, a “critical audit matter is any matter arising from the audit of the financial statements that was communicated or required to be communicated to the audit committee” and “involved especially challenging, subjective, or complex auditor judgment” (PCAOB AS 3101.11, https://bit.ly/3NzazZk).

In 2023 (2022), either CAMs or KAMs were included in the audit reports of 36 (30) of the companies in the sample. The additional auditor comments did not exist just for smaller companies, with 9 of the 10 largest companies including CAMs in their 2023 audit report. Although the reasons varied, many of the CAMs and KAMs were specifically related to cryptocurrency matters. For example, CAMs and KAMs included descriptions of audit procedures for “evaluation of the accounting for and disclosure of bitcoin mining revenue recognized” and “customer crypto assets, crypto assets held, and USDC-crypto assets held in cold storage.”

This sample of publicly traded cryptocurrency companies provides insights into the characteristics of the crypto-currency industry. The companies were overwhelmingly smaller companies audited by non-Big Four firms. In general, these companies are struggling financially and have numerous accounting and auditing challenges.

Ongoing Audit Quality Concerns for Public Company Audits

Audit quality remains a concern for regulators, investors, and other interested parties. There is no information available about the audit quality for the specific audits of the 55 companies in the sample. There is, however, evidence of a general increase in “flawed” audits. Based on the most recent publicly available PCAOB inspection reports, “serious” audit deficiencies increased “for nearly every category of the 157 audit firms the PCAOB inspected in 2022,” on which Erica Williams, chair of the PCAOB, commented “a 40% Part 1.A deficiency rate is completely unacceptable” (PCAOB, Chair Williams Statement on Rise in Audit Deficiency Rates, July 25, 2023, https://bit.ly/3KhFZRZ). Recent actions against some of the specific auditors in the sample of 55 companies are also troubling. Marcum, LLP, the auditor for six companies in the sample in 2023 and seven in 2022, agreed to pay a $10 million penalty to settle SEC charges that it had “systematic quality control failures and violations of audit standards in connection with audit work for hundreds of special purpose acquisition company (SPAC) clients” and these problems were “not limited to SPAC clients, but reflected systemic quality control failures throughout the firm” (SEC, “SEC Charges Audit Firm Marcum LLP for Widespread Quality Control Deficiencies,” June 21, 2023, https://bit.ly/3yJICcM). MaloneBailey, LLP, the auditor for five companies in the sample in 2023 and four companies in 2022, was fined $400,000 by the PCAOB for “pervasive quality control violations” (PCAOB, “Imposing a $400,000 Fine, PCAOB Sanctions MaloneBailey, LLP for Pervasive Quality Control Violations,” May 21, 2024, https://bit.ly/3R1g6K8). The PCAOB found that BF Borgers CPA PC, an accounting firm that audited two companies in the sample for 2022 and one company for 2023, had significant deficiencies in all 11 audits reviewed in 2022 (PCAOB, “2022 Inspection BF Borgers CPA PC,” Nov. 7, 2023, https://bit.ly/3VidKJt). In a separate action, the SEC charged BF Borgers CPA PC with “deliberate and systematic failures to comply with” PCAOB standards “in more than 500 public company SEC filings” (Securities and Exchange Commission, “SEC Charges Audit Firm BF Borgers and Its Owner with Massive Fraud Affecting More than 1,500 SEC Filings,” May 3, 2024, https://bit.ly/4bRcwdx). BF Borgers and the owner settled the charges by agreeing that the firm would pay $12 million, Benjamin Borgers would pay $2 million, and both were permanently suspended “from appearing and practicing before the Commission as accountants.”

There were 19 companies in the sample that filed annual financial results through the Canadian SEDAR+ system. Fifteen of the 19 audit reports were issued by 11 firms that followed Canadian Generally Accepted Auditing Standards. Similar to the PCAOB, the Canadian Public Accountability Board (CPAB) inspects accounting firms conducting audits for Canadian issuers (CPAB, https://bit.ly/3R6nG6b). In 2023, the CPAB imposed enforcement actions on three firms conducting audits in the sample—BF Borgers CPA PC, PKF Antares, and Marcum LLP, including terminating BF Borgers CPA PC (CPAB, Resource Centre, https://bit.ly/4dXLbIr). In May 2024, the CPAB provided “insights and illustrative examples” for auditing crypto companies, noting that they “identified significant findings” in 23 of 33 audit files inspected from 2020 to 2023 for reporting issuers “with crypto-asset activities” (CPAB, “Crypto Asset Inspections Insights,” May 2024, https://bit.ly/4bAMUSj). This information indicates the CPAB is aware of certain quality concerns for specific auditors and that crypto companies are high risk audits that require increased audit attention.

There continue to be many concerns with the nascent crypto industry. There are some positive developments, however, not the least of which is FASB’s newly issued authoritative guidance on accounting and disclosure for crypto assets (ASU 2023-08).

Audits of Private Crypto Companies and the Case of FTX

Audits of publicly traded crypto-currency industry companies carry their own risks, but audits of private cryptocurrency companies have less visibility and less scrutiny (the AICPA’s Peer Review Program brings the most notable form of scrutiny). Nevertheless, the impact on investors, customers, and the public can be significant. A Bloomberg News 2023 survey of 60 “major” crypto companies found that “only a handful of the 60 firms are publicly traded and beholden to certain regulatory standards” (E. Nicolle, “Crypto’s Most Influential Companies Often Follow Their Own Rules—Even After FTX’s Collapse,” Bloomberg, May 15, 2023, https://bit.ly/3NTq52L). The survey results showed that about half of the companies have annual financial audits and 63% have an independent board with at least one non-executive member. There were 10 companies without an independent board member and 7 without independent audits; 22 of the 60 respondents did not provide information about independent audits.

FTX, a privately held crypto company, was ranked fifth among the largest cryptocurrency exchanges by trading volume through November 9, 2022 (Reuters, “Top Crypto Exchanges by Volume,” 2022, https://bit.ly/3GtpJeP). On November 11, 2022, FTX.com and 130 affiliated companies declared bankruptcy. The visibility of high-profile bankruptcies and frauds in the crypto industry and related audit issues has led to scrutiny of the audit profession by Congress. For example, in a letter addressed to the chair of the PCAOB, two United States senators questioned “the role that auditors may have played in misleading the public about financial soundness of crypto companies” (Elizabeth Warren and Ron Wyden, “Letter to Erica Y. Williams,” Jan. 25, 2023, https://bit.ly/3Rpv2RR). In the letter, they question the quality of audits by Armanino and Prager Metis of FTX.US and FTX (International), respectively, as well as the standards to which the auditors should have been held.

When FTX declared bankruptcy, Bankman-Fried was relieved of his position as CEO and replaced by John J. Ray III. In a filing with the bankruptcy court, Ray stated that “Never in my career have I seen such a complete failure of corporate controls and such a complete absence of trustworthy financial information as occurred here” (John J. Ray III, Nov. 17, 2022, https://bit.ly/3NfjEGV). One allegation against Bankman-Fried was that he and other employees misled auditors and withheld information about comingling customer funds (United States v. Bankman-Fried, 2023, p. 12, https://bit.ly/46LiGZH). Bankman-Fried then used the audited financial statements to “falsely reassure customers and investors that FTX had proper risk management controls and systems for storing customer accounts” (p. 13). Bankman-Fried then used the audited financial statements to “falsely reassure customers and investors that FTX had proper risk management controls and systems for storing customer accounts” (p. 13).

The bankruptcy disclosures raise questions about how the auditors were able to provide unqualified opinions for a company that had few or no controls. In a public company or private company audit, the auditor must still understand the client and its control environment, including the client’s internal control relevant to the audit (AU-C section 315; ISA 315). Auditors must assess and document the risk of material misstatements and the impact on the assessment of the client’s control environment and ICFR on the audit risk model and for “designing the nature, timing and extent of substantive procedures.” Both AU-C 315 and ISA 315 note the auditor may determine that “substantive procedures alone do not provide sufficient appropriate audit evidence.” A class-action suit against numerous defendants includes alleged violations of professional standards by Armanino and Prager Metis in their audits (In Re: FTX Cryptocurrency Exchange Collapse Litigation, U.S. District Court S.D. of Florida, “Administrative Class Action Complaint and Demand for Jury Trial: Auditor Defendants,” August 8, 2023, https://bit.ly/3RxWmOS). In a recent settlement with the SEC, Prager Metis agreed to pay $1.95 million related to SEC complaint charges for “negligence-based fraud” for its FTX audits and previous auditor independence violations and the accounting firm agreed to “undertake remedial actions” (SEC, “Audit Firm Prager Metis Settles Charges for Negligence in FTX Audits and for Violating Auditor Independence Requirements,” Sep. 17, 2024, https://bit.ly/41hdspu). Although the bankruptcy documents and lawsuit also raise questions about the audits by Armanino, there have been no definitive conclusions about any mistakes or wrongdoings from a court of law or by regulators.

Going Forward

There continue to be many concerns with the nascent crypto industry. There are some positive developments, however, not the least of which is FASB’s newly issued authoritative guidance on accounting and disclosure for crypto assets (ASU 2023-08). CPA firms, particularly the Big Four, are developing auditing tools to address crypto assets, and professional organizations are providing non-authoritative guidance for their members (e.g. AICPA & CIMA, “Accounting for and Auditing of Digital Assets Practice Aid,” Sep. 30, 2023, https://bit.ly/41jeM9t). As outlined above, there are numerous professional standards that are relevant to audits of crypto clients. There are also revised professional guidance and crypto practice updates from the PCAOB and others. The reputation of individual accounting firms and the profession require every auditor to pay close attention to relevant auditing and attestation standards before issuing an opinion; not every entity may be capable of being audited.

Legislation from the U.S. Congress that specifically addresses the regulatory landscape for cryptocurrency is critical to protecting investors, customers, and other stakeholders in the cryptocurrency industry. Comprehensive legislation would also reduce business risk and accounting uncertainties, which would then reduce some audit risks. Based upon the risk factors surrounding the crypto regulatory environment listed in many of the 10-Ks in the sample companies, the most important issues to be resolved include the status of crypto assets as either “securities” or “commodities” and the related concern about which regulatory agency is responsible for making that determination and overseeing the industry.

For crypto mining companies, primarily bitcoin miners, there is uncertainty about environmental regulations related to the significant energy requirements for mining. As noted above, there have been numerous legislative proposals. There has also been independent analysis of what is needed (e.g., U.S. Government Accountability Office, “Blockchain in Finance,” 2023, https://bit.ly/3MRVlOl). The House of Representatives passed a crypto bill, but it has received mixed reviews and was not passed by the Senate (J. Shapiro, “House Passes Bill Outlining new Framework for Crypto Regulation Despite SEC Pushback,” The Hill, May 22, 2024, https://bit.ly/4e13kVy). The November elections, however, resulted in a “pro-crypto” president-elect and Congress going into 2025, which will likely lead to different legislation (Ryan Browne, “Coinbase Policy Chief Expects Speedy Approval of Crypto Laws Following Trump’s Victory,” CNBC, Dec. 2, 2024, https://bit.ly/3B0iJas).





Source link

Leave a Reply

Your email address will not be published. Required fields are marked *